09-18-2009 04:03 AM - edited 03-04-2019 06:05 AM
How is it possible that a router sends 1448 bytes of FTP data (frame size is 1514) but does not send 1394 bytes of FTP data (frame size is 1460) over an IPsec tunnel? The router sends an ICMP destination unreachable message to the source; the IPsec tunnel MTU is 1476.
Any idea about allowing ICMP destination unreachable messages on the Windows firewall?
09-18-2009 04:41 AM
The Windows firewall does not allow incoming destination unreachable. You must either disable the Windows firewall or set your MTU to a lower value, so that when the TCP session is negotiated a lower MSS is chosen that fits into your tunnel MTU with all overheads.
HTH
09-18-2009 05:33 AM
Andrew
How do I reduce the size of the MTU in the system? Guidance please.
09-18-2009 05:36 AM
You do that in the registry, but there is freeware on the Internet with a GUI interface: http://www.dslreports.com/drtcp
HTH,
__
Edison.
09-21-2009 07:02 AM
How is it possible that the router sends a 1512-byte frame over the IPsec tunnel (tunnel MTU is 1476) and does not send a 1460-byte frame over the same tunnel?
09-21-2009 07:06 AM
As long as the DF (Do Not Fragment) bit is NOT set, the router will fragment the packets.
A few applications will set the DF bit, as they require it, and then the router will NOT fragment the packet and will drop it.
09-21-2009 07:09 AM
Andrew
Both systems use the same application; the only difference is that they are geographically located in different locations.
09-21-2009 07:12 AM
Can you confirm the following:
1) Is the DF bit set in the TCP header?
2) What are the MTUs on the NICs at both ends?
3) What MSS is negotiated during TCP session establishment?
09-21-2009 07:15 AM
DF bit is set in both cases.
How do I check the MTU of the NIC card?
MSS is negotiated to 1460.
09-21-2009 07:19 AM
If that is indeed the case, then I am very surprised that it works at all.
If the DF bit is set and the overall packet size is bigger than the MTU of the tunnel, the router will drop it and send an ICMP "fragmentation required" message.
When you perform a packet capture on the end devices, do you see this?
Download and install the below; this will tell you the NIC MTU size and allow you to change it.
09-21-2009 07:21 AM
I tried this, but it does not tell the current MTU...
09-21-2009 07:26 AM
Go to Start > Run > regedit
hkey_local_machine
system
currentcontrolset
services
tcpip
interface
<
Look for the registry setting called MTU. If there is one, then it will be any number other than 1500.
If there is no registry setting called MTU under the NIC card, then it's the default MTU of 1500.
09-21-2009 07:30 AM
I do not see any MTU, so it's the default...
09-21-2009 07:32 AM
So 1500, with the DF bit and an MSS of 1460: a device would drop the packet.
You need to do some packet captures to confirm that this is actually the case for the specific application.
Do you have any device in the path of the TCP session that could perform a TCP MSS adjust?
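The drop-and-ICMP behaviour described in this thread, as an added example that is not part of the original posts: a small model of the router's decision for a DF-set packet, the path MTU discovery round that fails when the Windows firewall eats the ICMP "fragmentation needed" message, and the MSS that fits a 1476-byte tunnel MTU. It assumes IPv4 and TCP headers of 20 bytes each with no options (the 1514-byte frame carrying 1448 data bytes in the first post implies 12 bytes of TCP options; adjust TCP_HEADER to match).

```python
from dataclasses import dataclass

# Header sizes assumed for this model (not from the thread).
IPV4_HEADER = 20      # IPv4 header without options
TCP_HEADER = 20       # TCP header without options
ETHERNET_HEADER = 14  # the poster's "frame size" adds this to the IP packet


@dataclass
class Packet:
    total_length: int  # IP total length: IP + TCP headers + payload
    df: bool           # Don't Fragment bit in the IP header


def tcp_packet(payload: int, df: bool) -> Packet:
    """IP packet carrying `payload` bytes of TCP data."""
    return Packet(IPV4_HEADER + TCP_HEADER + payload, df)


def forward(pkt: Packet, link_mtu: int) -> str:
    """Router decision for a packet leaving via a link (or tunnel) of `link_mtu`.

    "forwarded"            fits, sent unchanged
    "fragmented"           too big, DF clear: router splits it
    "dropped+icmp:<mtu>"   too big, DF set: dropped, ICMP type 3 code 4
                           (fragmentation needed) sent back with next-hop MTU
    """
    if pkt.total_length <= link_mtu:
        return "forwarded"
    if not pkt.df:
        return "fragmented"
    return f"dropped+icmp:{link_mtu}"


def max_mss_for_mtu(mtu: int) -> int:
    """Largest TCP payload per segment that fits `mtu` unfragmented."""
    return mtu - IPV4_HEADER - TCP_HEADER


def pmtud_round(payload: int, link_mtu: int, icmp_reaches_host: bool) -> str:
    """One path-MTU-discovery round for a DF-set segment of `payload` bytes.

    If the ICMP message is filtered (e.g. by a host firewall) the sender never
    learns the tunnel MTU and keeps retransmitting the same size: a black hole.
    """
    outcome = forward(tcp_packet(payload, df=True), link_mtu)
    if outcome == "forwarded":
        return "delivered"
    if not icmp_reaches_host:
        return "black hole"
    next_hop_mtu = int(outcome.rsplit(":", 1)[1])
    return f"retry with payload {max_mss_for_mtu(next_hop_mtu)}"
```

With the thread's numbers, `forward(tcp_packet(1460, df=True), 1476)` returns `dropped+icmp:1476`, `pmtud_round(1460, 1476, icmp_reaches_host=False)` returns `black hole`, and `max_mss_for_mtu(1476)` gives 1436, the MSS a clamp on the router or a lowered host MTU should produce.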
09-21-2009 07:34 AM
Let me send you some attachments.